10841093

Access Management to Instances on the Cloud

Published: November 17, 2020
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
16 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method performed by a computing device comprising: in response to a request from a user to create a support account for a target instance on a public network: generating a key pair including a public key and a private key; creating, in the target instance, the support account; associating the public key with the target instance, including storing the public key in an authorized key list associated with the target instance; providing access to the private key, wherein the key pair can facilitate a connection to the target instance through the support account; generating temporary credentials associated with the target instance, wherein the request from the user includes permissions associated with the support account and an expiration time of the temporary credentials; and upon expiration of the temporary credentials, removing the support account from the target instance and disassociating the public key with the target instance, resulting in termination of current connections and barring future connections to the target instance through the key pair.

Plain English Translation

This invention relates to secure access management for cloud-based computing instances. The problem addressed is the need for temporary, controlled access to cloud instances for support or administrative purposes while ensuring security and automatic cleanup of access credentials. The method involves a computing device that, in response to a user request, generates a cryptographic key pair consisting of a public and private key. A support account is created within a target cloud instance, and the public key is added to the instance's authorized key list, enabling secure authentication. The private key is provided to the user, allowing them to establish a connection to the instance via the support account. Additionally, temporary credentials are generated with predefined permissions and an expiration time, as specified in the user's request. Upon expiration of the temporary credentials, the support account is automatically removed from the target instance, and the public key is disassociated, terminating any active connections and preventing future access through the key pair. This ensures that temporary access is revoked without manual intervention, enhancing security and reducing administrative overhead. The system automates the lifecycle of temporary support accounts, minimizing the risk of unauthorized access.

Claim 2

Original Legal Text

2. The method according to claim 1, wherein generating the temporary credentials includes setting a timer and the expiration of the temporary credentials is triggered by an expiration of the timer.

Plain English Translation

A system and method for managing temporary credentials in a secure access control environment. The invention addresses the problem of unauthorized access to sensitive systems by providing time-limited credentials that automatically expire after a predefined period. The method involves generating temporary credentials for a user or device, where the credentials are tied to a timer. The expiration of the temporary credentials is triggered by the expiration of the timer, ensuring that access is automatically revoked once the timer reaches zero. This approach enhances security by eliminating the need for manual credential revocation and reducing the risk of prolonged unauthorized access. The system may also include additional security measures, such as multi-factor authentication, to further validate the identity of the user or device before granting access. The timer-based expiration mechanism ensures that temporary credentials cannot be reused beyond their intended duration, mitigating the risk of credential theft or misuse. The invention is particularly useful in environments where temporary access is required, such as guest accounts, temporary employee access, or third-party vendor access.

Claim 3

Original Legal Text

3. The method according to claim 1, wherein the expiration of the temporary credentials is forced as a response to a user pre-emption request to discontinue the support account.

Plain English Translation

A system and method for managing temporary credentials in a support account framework addresses the need for secure and controlled access to support services. The invention provides a mechanism to generate temporary credentials with predefined expiration times, ensuring that access to support accounts is limited and time-bound. This prevents unauthorized or prolonged access, enhancing security. The method includes generating temporary credentials with an expiration time, validating these credentials upon access attempts, and automatically revoking access once the expiration time is reached. Additionally, the system allows users to manually force the expiration of temporary credentials in response to a pre-emption request, such as when a user wishes to discontinue the support account. This feature provides users with direct control over credential validity, further improving security and access management. The system may also include logging and monitoring capabilities to track credential usage and detect potential security threats. The invention is particularly useful in environments where temporary access to support services is required, such as customer support portals, IT service management systems, or cloud-based support platforms. By enforcing strict expiration policies and allowing user-initiated revocation, the system ensures that support account access is both secure and user-controlled.

Claim 4

Original Legal Text

4. The method according to claim 1, wherein: disassociating the public key with the target instance includes removing the public key from the authorized key list.

Plain English Translation

A system and method for managing access to computing instances in a cloud environment addresses the challenge of securely controlling access to virtual machines (VMs) or other cloud-based resources. The method involves disassociating a public key from a target instance to revoke access, specifically by removing the public key from an authorized key list. This authorized key list is a collection of public keys that are permitted to authenticate and access the target instance. The disassociation process ensures that the public key is no longer recognized as valid for authentication, thereby preventing unauthorized access. The method may also include generating a new public-private key pair for the target instance, replacing the old key pair to further enhance security. This approach allows administrators to dynamically manage access permissions, ensuring that only authorized users can connect to the instance while revoking access for compromised or outdated keys. The system may also include logging and auditing features to track key associations and disassociations, providing transparency and accountability in access control. This method is particularly useful in cloud environments where secure and scalable access management is critical.

Claim 5

Original Legal Text

5. The method according to claim 1, further comprising retrieving, from the instance, a system log, the system log containing actions performed on the instance through the support account.

Plain English Translation

A method for managing cloud computing instances involves monitoring and auditing actions performed on a cloud instance through a support account. The method includes retrieving a system log from the instance, where the system log records actions taken on the instance via the support account. This log retrieval enables tracking and verification of administrative activities, ensuring accountability and security in cloud environments. The method may also involve generating a support request for the instance, where the request includes a support account identifier and a support action to be performed. The support action is then executed on the instance using the support account, with the system log capturing these actions for later review. This approach enhances transparency and traceability of support operations, helping to detect unauthorized or malicious activities. The system log may include timestamps, user identifiers, and action details, providing a comprehensive audit trail for compliance and troubleshooting purposes. The method is particularly useful in multi-tenant cloud environments where multiple users or services interact with instances, ensuring that support-related changes are documented and verifiable.

Claim 6

Original Legal Text

6. The method according to claim 1, wherein the connection to the target instance is through a network using a secure socket shell (SSH) protocol.

Plain English Translation

A system and method for securely connecting to a target instance over a network involves establishing a connection using the Secure Socket Shell (SSH) protocol. SSH is a cryptographic network protocol designed to provide secure remote access to systems, ensuring encrypted communication and authentication between the client and the target instance. The method includes initiating a connection request from a client device to the target instance, where the target instance may be a server, virtual machine, or other networked computing resource. The SSH protocol handles authentication, typically through public-key cryptography or password-based methods, to verify the identity of the client before establishing the secure session. Once authenticated, the connection allows for encrypted data transmission, preventing interception or tampering by unauthorized parties. This approach is commonly used in remote administration, cloud computing, and secure data transfer scenarios where confidentiality and integrity are critical. The method ensures that all communications between the client and the target instance remain protected from eavesdropping and unauthorized access.

Claim 7

Original Legal Text

7. The method according to claim 1, wherein the key pair is based on a cryptographic algorithm.

Plain English Translation

A method for generating and managing cryptographic key pairs involves creating a key pair using a cryptographic algorithm. The key pair consists of a public key and a private key, where the private key is securely stored and the public key is used for encryption or digital signature verification. The method ensures that the private key remains confidential while allowing the public key to be shared for secure communication or authentication. The cryptographic algorithm used for key generation is an asymmetric (public-key) scheme, such as RSA, ECC, or others, chosen according to the security requirements; a symmetric cipher does not yield a public/private pair. The method may also include steps for key rotation, revocation, or backup to enhance security and manageability. The key pair generation process ensures that the keys are mathematically related, with the private key being computationally infeasible to derive from the public key, providing robust security for cryptographic operations. The method may be applied in various security protocols, including SSL/TLS, digital signatures, or key exchange mechanisms, to protect data integrity and confidentiality.

Claim 8

Original Legal Text

8. The method according to claim 1, further comprising repeating each process to manage access to a plurality of target instances.

Plain English Translation

A system and method for managing access to multiple target instances in a computing environment. The method involves controlling access to a target instance by receiving an access request, determining whether the request meets predefined access criteria, and granting or denying access based on the determination. The method further includes repeating this process for multiple target instances, allowing centralized management of access permissions across a distributed system. The access criteria may include factors such as user authentication, authorization levels, time-based restrictions, or resource availability. The method ensures secure and efficient access control by dynamically evaluating each request against the criteria before permitting interaction with the target instances. This approach is particularly useful in cloud computing, enterprise networks, or multi-tenant systems where multiple users or services require controlled access to shared resources. The system may also log access attempts and enforce policies to maintain security and compliance. By repeating the process for each target instance, the method provides scalable and consistent access management across diverse computing environments.

Claim 9

Original Legal Text

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations, the operations comprising: in response to a request from a user to create a support account for a target instance on a public network: generating a key pair including a public key and a private key; creating, in the target instance, the support account; associating the public key with the target instance, including storing the public key in an authorized key list associated with the target instance; providing access to the private key, wherein the key pair can facilitate a connection to the target instance through the support account; generating temporary credentials associated with the target instance, wherein the request from the user includes permissions associated with the support account and an expiration time of the temporary credentials; and upon expiration of the temporary credentials, removing the support account from the target instance and disassociating the public key with the target instance, resulting in termination of current connections and barring future connections to the target instance through the key pair.

Plain English Translation

This invention relates to secure access management for cloud-based or networked computing instances. The problem addressed is the need for temporary, controlled access to a target instance on a public network, such as for troubleshooting or support, while ensuring security and automatic revocation of access once the temporary period expires. The system generates a key pair (public and private keys) in response to a user request to create a support account for a target instance. The public key is stored in an authorized key list for the target instance, enabling secure connections using the private key. Temporary credentials are also generated, with permissions and an expiration time specified in the user's request. These credentials allow access to the target instance through the support account. Upon expiration of the temporary credentials, the support account is automatically removed from the target instance, and the public key is disassociated, terminating any active connections and preventing future access via the key pair. This ensures that temporary access is strictly time-bound and revoked without manual intervention, enhancing security for the target instance. The system automates the provisioning and deprovisioning of secure, temporary access, reducing administrative overhead and minimizing security risks.

Claim 10

Original Legal Text

10. The non-transitory machine-readable medium according to claim 9, wherein generating the temporary credentials includes setting a timer and the expiration of the temporary credentials is triggered by an expiration of the timer.

Plain English Translation

A system and method for securely managing temporary credentials in a computing environment addresses the challenge of providing limited-time access to resources without compromising security. The invention involves generating temporary credentials with an expiration mechanism tied to a timer. When the timer expires, the temporary credentials automatically become invalid, ensuring that access is revoked after a predefined period. This approach enhances security by preventing unauthorized prolonged access and reducing the risk of credential misuse. The system may also include additional security measures, such as requiring user authentication before issuing temporary credentials and logging access attempts for auditing purposes. The timer-based expiration ensures that credentials are only valid for a specific duration, mitigating risks associated with lost or stolen credentials. This method is particularly useful in environments where temporary access is frequently granted, such as cloud computing, enterprise networks, or multi-factor authentication systems. By automating the expiration process, the system minimizes administrative overhead while maintaining robust security controls.

Claim 11

Original Legal Text

11. The non-transitory machine-readable medium according to claim 9, wherein the expiration of the temporary credentials is forced as a response to a user pre-emption request to discontinue the support account.

Plain English Translation

A system and method for managing temporary credentials in a support account environment addresses the need for secure and controlled access to support services. The invention provides a non-transitory machine-readable medium storing instructions that, when executed, enable a computing device to generate and manage temporary credentials for accessing a support account. These credentials are automatically generated and have a predefined expiration time to limit access duration. The system also enforces the expiration of these credentials in response to a user request to discontinue the support account, ensuring immediate revocation of access. The method includes generating temporary credentials with an expiration time, validating the credentials upon access attempts, and forcing expiration if a user explicitly requests to terminate the support account. This ensures that access is revoked promptly, enhancing security and preventing unauthorized use. The system may also include additional features such as credential validation, access logging, and user authentication to further secure the support account environment. The invention is particularly useful in scenarios where temporary access is required, such as customer support, troubleshooting, or third-party service provision, ensuring that access is granted only for the necessary duration and revoked immediately upon user request.

Claim 12

Original Legal Text

12. The non-transitory machine-readable medium according to claim 9, wherein: disassociating the public key with the target instance includes removing the public key from the authorized key list.

Plain English Translation

A system and method for managing public key authentication in a computing environment involves securely disassociating a public key from a target instance to prevent unauthorized access. The technology addresses the problem of maintaining secure access control in distributed systems where public keys may need to be revoked or updated. The method includes receiving a request to disassociate a public key from a target instance, verifying the requestor's authorization, and then disassociating the public key by removing it from the authorized key list associated with the target instance. This ensures that the public key can no longer be used for authentication. The system may also include a key management module that handles key storage, validation, and revocation processes. The method further ensures that only authorized users or processes can modify the authorized key list, preventing unauthorized changes. The solution is particularly useful in cloud computing environments where dynamic access control is required to maintain security. The process may involve additional steps such as logging the disassociation event for auditing purposes and notifying relevant parties of the change. The system ensures that public key authentication remains secure and manageable in dynamic computing environments.

Claim 13

Original Legal Text

13. The non-transitory machine-readable medium according to claim 9, wherein the operations further comprise: retrieving, from the instance, a system log, the system log containing actions performed on the instance through the support account.

Plain English Translation

This invention relates to cloud computing systems and the management of support accounts used to access cloud-based instances. The problem addressed is the need to monitor and audit actions performed by support personnel on cloud instances to ensure accountability and security. The invention provides a method for tracking and retrieving system logs from a cloud instance, where these logs record actions taken by support personnel through a designated support account. The system log retrieval process is automated and integrated into the cloud management operations, allowing administrators to review the activities performed by support staff. This helps in maintaining transparency, detecting unauthorized actions, and ensuring compliance with security policies. The invention also includes mechanisms to store and analyze these logs for further security and operational insights. By centralizing and automating the retrieval of system logs, the invention improves the efficiency and reliability of support account monitoring in cloud environments.

Claim 14

Original Legal Text

14. The non-transitory machine-readable medium according to claim 9, wherein the connection to the target instance is through a network using a secure socket shell (SSH) protocol.

Plain English Translation

This invention relates to secure remote access systems, specifically for managing connections to target computing instances over a network. The problem addressed is the need for secure, authenticated, and efficient remote access to computing resources, particularly in cloud or distributed computing environments where direct physical access is impractical. The invention involves a non-transitory machine-readable medium storing instructions that, when executed, enable a system to establish and manage secure connections to target computing instances. The system includes a connection manager that authenticates users and brokers secure connections to the target instances. The connection is established through a network using the Secure Socket Shell (SSH) protocol, ensuring encrypted communication and secure authentication. The system may also include a user interface for initiating and monitoring connections, as well as a logging mechanism to record connection details for auditing and security purposes. The target instances can be virtual machines, containers, or other remote computing resources, and the system ensures that only authorized users can access them. The SSH protocol provides a standardized, widely supported method for secure remote access, reducing the risk of unauthorized access or data interception. The system may also include additional security features, such as multi-factor authentication or role-based access control, to further enhance security.

Claim 15

Original Legal Text

15. The non-transitory machine-readable medium according to claim 9, wherein the key pair is based on a cryptographic algorithm.

Plain English Translation

A system and method for secure data processing involves generating and managing cryptographic key pairs to enhance security in digital transactions. The key pair, which includes a public key and a private key, is derived from a cryptographic algorithm, such as RSA, ECC, or another asymmetric encryption scheme. The key pair is used to encrypt and decrypt data, ensuring confidentiality and integrity during transmission or storage. The system may include a key generation module that creates the key pair, a storage module that securely stores the private key, and an encryption/decryption module that applies the keys to protect data. The cryptographic algorithm ensures that the keys are mathematically robust, resistant to tampering, and suitable for various security applications, including authentication, digital signatures, and secure communications. The system may also include validation mechanisms to verify the authenticity of the keys and prevent unauthorized access. This approach addresses the need for reliable cryptographic protection in digital environments where data security is critical.

Claim 16

Original Legal Text

16. A system comprising: a processing system having at least one hardware processor, the processing system coupled to a memory programmed with executable instructions that, when executed by the processing system, perform operations comprising: in response to a request from a user to create a support account for a target instance on a public network: generating a key pair including a public key and a private key; creating, in the target instance, the support account; associating the public key with the target instance, including storing the public key in an authorized key list associated with the target instance; providing access to the private key to an administrator or technical support user, wherein the key pair can facilitate a connection to the target instance through the support account; generating temporary credentials associated with the target instance, wherein the request from the user includes permissions associated with the support account and an expiration time of the temporary credentials; and upon expiration of the temporary credentials, removing the support account from the target instance and disassociating the public key with the target instance, resulting in termination of current connections and barring future connections to the target instance through the key pair.

Plain English Translation

The system provides secure, temporary access to a target instance on a public network for administrative or technical support purposes. The system addresses the challenge of granting controlled, time-limited access to cloud-based or networked systems while ensuring security and preventing unauthorized persistent access. When a user requests a support account for a target instance, the system generates a cryptographic key pair consisting of a public key and a private key. The public key is stored in an authorized key list for the target instance, while the private key is provided to an authorized administrator or technical support user. This key pair enables secure connections to the target instance through the support account. Additionally, the system generates temporary credentials with predefined permissions and an expiration time, as specified in the user's request. Once the temporary credentials expire, the system automatically removes the support account from the target instance and disassociates the public key, terminating any active connections and preventing future access through the key pair. This ensures that support access is temporary and revoked after the authorized period, enhancing security and compliance. The system automates the provisioning and deprovisioning of support access, reducing manual intervention and minimizing the risk of unauthorized access.
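As an added example (not code from the patent or its inventors), the following Python models the lifecycle the claims describe on a toy instance whose authorized key list is a real file: key pair and support account creation, timer-driven expiration (claim 2), user pre-emption (claim 3), removal of the public key from the list (claim 4), retrieval of the account's log entries (claim 5), and reuse across several instances (claim 8). The Instance, SupportAccount and SupportAccessManager structures are assumptions of this model, the key pair is a random-byte placeholder rather than a real ed25519 key, and the requested permissions are written as OpenSSH authorized_keys options.

```python
import base64
import secrets
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Instance:  # toy target instance (assumption): a real authorized_keys file plus local state
    name: str
    authorized_keys: Path
    accounts: set = field(default_factory=set)      # local accounts present on the instance
    sessions: dict = field(default_factory=dict)    # account name -> set of live session ids
    syslog: list = field(default_factory=list)      # (time, account name, action) records

@dataclass
class SupportAccount:
    instance: Instance
    name: str
    public_key: str      # key line as stored in authorized_keys (without options)
    private_key: bytes   # the part handed to the support user
    expires_at: float
    active: bool = True

def make_instance(name):
    """Toy instance with one owner key already authorized (constructed sample data)."""
    path = Path(tempfile.mkdtemp()) / "authorized_keys"
    path.write_text("ssh-ed25519 AAAAOwnerKeyPlaceholder owner@laptop\n")
    return Instance(name, path)

def generate_key_pair(comment):
    """Placeholder key pair (assumption): random bytes shaped like an OpenSSH key line."""
    private_key = secrets.token_bytes(32)
    public_blob = base64.b64encode(secrets.token_bytes(32)).decode()
    return private_key, f"ssh-ed25519 {public_blob} {comment}"

def support_log(instance, acct):  # claim 5: actions taken on the instance through this account
    return [entry for entry in instance.syslog if entry[1] == acct.name]

class SupportAccessManager:
    def __init__(self):
        self.accounts = {}   # (instance name, account name) -> SupportAccount

    def create(self, instance, permissions, expires_at):
        """Claim 1: generate the key pair, create the account, list the public key."""
        name = f"support-{secrets.token_hex(4)}"
        private_key, public_key = generate_key_pair(name)
        instance.accounts.add(name)
        # the requested permissions ride along as authorized_keys options (OpenSSH syntax)
        with instance.authorized_keys.open("a") as fh:
            fh.write(f"restrict,{permissions} {public_key}\n")
        acct = SupportAccount(instance, name, public_key, private_key, expires_at)
        self.accounts[(instance.name, name)] = acct
        return acct

    def connect(self, acct, private_key, now):
        """Models an SSH login through the support account; returns a session id."""
        inst = acct.instance
        listed = any(acct.public_key in line for line in inst.authorized_keys.read_text().splitlines())
        if not (acct.active and acct.name in inst.accounts and listed and private_key == acct.private_key):
            raise PermissionError(f"{acct.name}@{inst.name}: access denied")
        sid = secrets.token_hex(4)
        inst.sessions.setdefault(acct.name, set()).add(sid)
        inst.syslog.append((now, acct.name, "login"))
        return sid

    def revoke(self, acct, now, reason):
        """Remove the account, drop its key from the list, terminate live sessions."""
        inst = acct.instance
        kept = [l for l in inst.authorized_keys.read_text().splitlines() if acct.public_key not in l]
        inst.authorized_keys.write_text("".join(line + "\n" for line in kept))
        inst.accounts.discard(acct.name)
        terminated = inst.sessions.pop(acct.name, set())
        acct.active = False
        inst.syslog.append((now, acct.name, f"revoked:{reason}"))
        return terminated

    def expire_due(self, now):
        """Claim 2: the timer fired; revoke every account whose expiration time has passed."""
        due = [a for a in self.accounts.values() if a.active and a.expires_at <= now]
        return [self.revoke(a, now, "expired") for a in due]

    def preempt(self, acct, now):
        """Claim 3: the user discontinues the support account before the timer fires."""
        return self.revoke(acct, now, "preempted")
```

Because revocation rewrites the authorized key list and drops the account in the same step, a key that leaks after expiry is useless even if the private key is still held by the support user.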

Patent Metadata

Filing Date

Unknown

Publication Date

November 17, 2020

Inventors

Hui LI
Fangyuan LIN
Rui GUO
Ou ZHANG
Xiaohui WANG
Min HAN


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “ACCESS MANAGEMENT TO INSTANCES ON THE CLOUD” (10841093). https://patentable.app/patents/10841093

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10841093. See llms.txt for full attribution policy.
